In-place Hash Comparison with Sleuthkit and CoreUtils on Windows

less than 1 minute read

In this video we talk about how to do in-place file hash comparison from a disk image. We use the Sleuthkit and CoreUtils on Windows to extract file data, create an MD5 hash of the file data and use hfind to search a hash database.

Specifically, we analyze an Expert Witness File (E01). First we use mmls to extract partition information from the physical disk image. From that we can extract the partition offset. With the partition offset, we can use FLS to list the files in the partition. We show how to use icat and fcat to extract file data using the file inode or the file name. We feed the icat output into md5sum (coreUtils) and cut everything except the md5 hash value. Finally, we pipe the hash value into hfind (sleuthkit) to search whether the hash value is in the known database.

Install Sleithkit on Windows: https://youtu.be/1fIhQR5Rvdk
Install CoreUtils on Windows: https://youtu.be/m6Si0-Ac5Kc

Share on

Twitter Facebook LinkedIn

Joshua I. James

In-place Hash Comparison with Sleuthkit and CoreUtils on Windows

Share on

You may also enjoy

iLEAPP and RLEAPP updates and dev thoughts

What data can you find in RAM?

Modular artifact scripts coming to iLEAPP

Forensic 4:Cast Awards - The real award is DFriends we made along the way